Protecting software IP: what engineers need to know

Intellectual property protection and piracy prevention are not new issues for software vendors, but strategies and opinions vary on how best to combat those threats.

Every successful independent software vendor has been the target of visible piracy activity. In fact, the piracy groups boldly announce their efforts in .NFO files and make the pirated software, or "cracked" releases, available to various distribution channels, such as Secure FTP, P2P, IRC and the Web.

The crackers use a combination of reverse-engineering tools, existing knowledge bases and their machine code expertise to disable licensing mechanisms within software. These same tactics can be used to gain access to sensitive IP contained in software, which is more a threat from emerging competitors or foreign governments than from piracy groups.

Approaches for combating IP theft and piracy include software protection technology and piracy business intelligence. Software protection technology makes software resistant to reverse engineering and tampering. It is not an absolute security measure, but a way of making code difficult to disassemble and modify once compiled. Common protection features include anti-debugging and code encryption.

Anti-debugging techniques aim to prevent debuggers or disassemblers from attaching to running applications. Anti-debug logic looks for specific signatures, hooks and APIs used by debuggers to take control of the application. Although such approaches are commonly used, advances in virtual machines are making them less effective.

Mostly leveraged for intermediate language frameworks such as .NET and Java, code obfuscation attempts to confuse the reverse engineer by renaming variables, encrypting strings and using more advanced techniques to alter the code flow. But obfuscation is passive in the sense that an individual can still decompile the application easily.

Code encryption is another method. In the early days of software protection, packers or wrapping approaches had limited protection capabilities since they decrypted the entire application into memory at run-time. As protection solutions evolved, they concentrated on minimizing the availability of decrypted code in memory by using just-in-time code decryption. By decrypting functions as they are needed and then re-encrypting them, the amount of decrypted code in memory at any point in time is minimized.

To advance software protection, developers turned to kernel-level integration such as device drivers. This level of integration provided a better defense against sophisticated debuggers. However, it can also introduce unwanted dependencies and be intrusive for honest users.

Finally, some advanced protection tools turned to embedded customized virtual machines to secure their run-time protection process as well as convert the application code into a vendor-unique format. This effectively obscures the protection process, but it can hamper application performance.

Business intelligence

Given the limitations of software protection and the need to understand the true loss associated with piracy, some developers have instrumented "phone home" capabilities into their applications to gather software usage data. Piracy business intelligence extends phone-home systems to identify the infringing company. Such approaches are triggered when pirated software use is detected; the business intelligence technology then collects enough information to identify the infringing organization. The vendor can then pursue organizations directly to recover license revenue, leverage the business intelligence to extend partnerships in regions with high piracy rates or even take legal action to recoup lost revenue.

In implementing a piracy business intelligence system, a variety of capabilities should be in place.

Software piracy is frequently enabled by disabling or spoofing the license enforcement embedded in the software. The three main approaches used to do that are binary patches, key generators and leveraging license enforcement vulnerabilities. Each of these can have a unique signature that helps to detect and then activate the reporting of unlicensed use.

Piracy detection does just what it says: By detecting these signatures, it lets you report only on unlicensed use of your software, without affecting licensed customers. To determine which approach is used with your software, you will need to download and analyze current and past crack releases of the software.

The key to piracy business intelligence is to lie dormant during the piracy crack cycle and delay the activation of reporting until the software is being used by an organization. If the functionality is implemented within licensing functions and is visible to the piracy groups, then it will get disabled. One of the best ways to evade detection is to trigger the piracy detection and report on a feature set in the software that indicates the use of the IP. For example, a CAE application may activate its reporting when a simulation is run. Piracy groups generally QA their cracks only against the licensing system, not the complete application.

Data collection is another key aspect of piracy business intelligence. Reporting should focus on identifying the organization rather than individual users of pirated software. The potential for recovering revenue is much higher from an organization than from an end user. Information collected from the registry, APIs and environment variables can help identify the organization.
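The detection, deferred trigger and organization-level data collection described in the last few paragraphs can be sketched as follows. This is an added example, not code from the article or from any vendor product; the Application class, the sample bytes and the report fields are assumptions made for illustration (USERDNSDOMAIN and USERDOMAIN are standard Windows environment variables).

```python
import hashlib

# Constructed stand-in for the compiled licensing routine the vendor ships.
SHIPPED_LICENSE_CODE = b"constructed licensing routine bytes v1"
# Digest recorded at build time (assumed build step).
EXPECTED_DIGEST = hashlib.sha256(SHIPPED_LICENSE_CODE).hexdigest()


def license_code_patched(code: bytes) -> bool:
    """Binary-patch signature: licensing code no longer matches the build digest."""
    return hashlib.sha256(code).hexdigest() != EXPECTED_DIGEST


def organization_fields(env: dict) -> dict:
    """Collect organization-level identifiers only; user names are never read."""
    wanted = ("USERDNSDOMAIN", "USERDOMAIN")
    return {key: env[key] for key in wanted if env.get(key)}


class Application:
    """Hypothetical CAE application with reporting tied to a feature, not licensing."""

    def __init__(self, license_code: bytes, env: dict, send):
        self.license_code = license_code
        self.env = env
        self.send = send          # callable that delivers a report to the vendor
        self.reported = False

    def run_simulation(self) -> str:
        # The check lives in the feature path, so it stays dormant while a crack
        # is being tested against the licensing system only.
        if not self.reported and license_code_patched(self.license_code):
            report = {"signature": "binary_patch"}
            report.update(organization_fields(self.env))
            self.send(report)
            self.reported = True  # one report per run, not one per simulation
        return "simulation complete"


if __name__ == "__main__":
    outbox = []
    # Constructed sample: modified licensing bytes and a sample environment.
    modified = SHIPPED_LICENSE_CODE.replace(b"v1", b"vX")
    env = {"USERDNSDOMAIN": "corp.example.test", "USERNAME": "alice"}
    app = Application(modified, env, outbox.append)
    app.run_simulation()
    print(outbox)
```

Licensed, unmodified builds never produce a report, and the report carries the domain but not the user name.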

Collecting data is critical to piracy business intelligence, but equally important is how the data is organized, filtered and correlated into actionable leads that other business units can use to recover revenue. Toward that end, create a piracy dashboard. Although you can build this functionality from scratch, there are already software-as-a-service application platforms that offer the building blocks for reporting and lead management. One example is Salesforce.com, which provides lead management workflow, reporting and integrated dashboards.

Protecting your software IP and license revenue is critical, given the risks in emerging markets as well as the continuing growth of software piracy. However, developers should make an informed decision before adding protection measures into their applications, given the potential impact to their customers and the complexity it can introduce in the development process.

Protection might be necessary if your application contains valuable IP and is developed in C# and the Microsoft .NET platform. Such applications are trivial to reverse engineer and require some level of protection to make them less of a target to hackers or even curious end users.

If the goal is to prevent or deter piracy, then piracy business intelligence may offer a better solution or, at the very least, the first step. Because such intelligence will help quantify the piracy rates for your specific market or application, the data it gathers can justify other anti-piracy investments.

Your organizational focus--especially in today's market--is likely to be on license revenue over everything else. The intelligence approach can generate actionable leads from unlicensed use and should have minimal product development impact. This approach can be easily justified and provides a quicker way to respond to software IP threats.

Before deciding on an anti-piracy strategy, software vendors must first measure and quantify just how large and wide their problem is.

If you believe your IP was stolen, you can use CodeSuite, our set of leading-edge software forensics tools. For more information or to download a free copy, visit the SAFE Corporation website www.SAFE-corp.biz.

Definitely do what you can to protect your software IP. But if you think it's been stolen, you'll need our CodeSuite tools for comparing and analyzing software IP. Learn more at the Software Analysis & Forensic Engineering website (www.SAFE-corp.biz).